Security Roundup - 2016-07-28

KeePass, a password management system, is getting a code audit thanks to a pilot project by the European Parliament. Other projects proposed to be audited include the Apache HTTP server, Linux and MySQL.

Do you allow data to be exported as a CSV? Then you might be subjecting your users to CSV injection exploits. Essentially, if someone can insert unsanitized data that is later exported and opened by something like Excel, the spreadsheet may treat a cell as a formula and execute arbitrary code on the recipient’s machine.
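
A defensive export routine for the CSV injection problem described above, written as an added example for this post rather than code from any of the linked articles. It neutralizes cells that begin with a formula trigger (the `=`, `+`, `-`, `@`, tab and carriage-return characters listed by OWASP) by prefixing them with a single quote, and quotes every field so a value cannot break out into a neighbouring cell. The sample rows are constructed for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications (Excel, LibreOffice Calc)
# interpret as the start of a formula rather than literal text. Tab and CR are
# on the OWASP CSV injection trigger list as well.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as text, not evaluate.

    Strings that begin with a formula trigger get a leading single quote, the
    text marker spreadsheets already understand. Non-string values (numbers,
    None) pass through unchanged, so genuine numeric columns are unaffected; a
    free-text field that legitimately starts with '-' is also prefixed, which is
    the accepted trade-off for an export that untrusted users can populate.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_rows(rows):
    """Serialise rows to CSV text with every cell neutralized and quoted.

    QUOTE_ALL keeps embedded commas, quotes and newlines inside their cell, so a
    value cannot spill into a new field where a formula prefix would be
    re-evaluated by the importer.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: a user-supplied "note" field holding a formula-shaped string.
SAMPLE_ROWS = [
    ["name", "note"],
    ["Alice", "=1+1"],
    ["Bob", "left a voicemail"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

Neutralizing at export time is the only place the application controls the outcome; once the file is on the recipient's machine, whether the formula runs depends entirely on their spreadsheet settings.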

NIST has issued a new draft of secure communication guidelines, most notably tightening up 2-Factor auth recommendations by suggesting the deprecation of SMS 2-Factor auth. Since social engineering has been used to get victims’ SMS messages call-forwarded to attackers, this sounds like a good recommendation.

A few stories about bug bounties this week, with Uber fixing a bug allowing customer password resets and PHP having two remote code execution bugs involving the garbage collector.

With the rise of car hacks, the CEO of GM has now said that these incidents are not just a consumer or an automaker problem, but a matter of public safety. This week, the Alliance of Automobile Manufacturers has apparently released a set of security best practices for vehicles.

Meanwhile, Bruce Schneier has a thoughtful article on security in the Internet of Things. Essentially with the proliferation of connected devices, since they also can interact with each other, the footprint of things that can be exploited (sometimes in unexpected ways) is expected to increase. Since these devices are also automated, this makes it easier for attackers to execute some unintended (to the device owner) behavior before they can even react. We have seen this with a number of stories in the last year, from the remote camera takeovers to medical devices being infiltrated and we should expect those stories to continue.

As an example of how ubiquitous connected systems are... do you use a wireless keyboard? Someone could eavesdrop on everything you type, as well as inject keystrokes, from 250 feet away using less than $100 of equipment. Researchers testing a number of currently available models found a complete lack of encryption in 8 out of the 12 they tested.

In responsible disclosure news, Google security researchers have discovered a remote execution bug in LastPass. The two companies are working on a fix.

Talos Intel has a great article on tracking down ties between different malware, where they discover relationships between Jigsaw, Ranscam and AnonPop.

As always, Bleeping Computer has the best ransomware roundup. Beyond the new variants, and unlockers, it appears that the Stampado family that was selling for cheap already has a decryptor.

Security Roundup - 2016-07-20

Last week I happened to miss this great interview with Mårten Mickos, the CEO of the HackerOne bug bounty platform. This week, HackerOne has announced their ‘Hack the World’ competition, where all reports submitted on the platform from now until September 19th will give you an opportunity for further prizes.

Automotive security seems to be ramping up, with several bug bounties related to them, as well as security vendors selling solutions aimed at manufacturers.

Watch Mr. Robot? You might be interested in this article detailing the amount of realism that goes into making the show.

Google is apparently experimenting with post-quantum crypto. They have started to roll out a new encryption algorithm called “Ring Learning with Errors” that users of ‘Chrome Canary’ will be able to take advantage of, while Google gets a better sense of ‘real world performance’.

More security appliance problems recently. The first from Juniper, where specially crafted authentication certificates would allow anyone to connect to the network. The second comes from Cisco: one vulnerability lets an attacker crash routers, and another lets attackers actually modify settings using SNMP.

New problems with old RFCs lead to the ‘httpoxy’ vulnerability reported this week. This is apparently due to the documented CGI behavior of prefixing request headers with ‘HTTP_’ when turning them into environment variables, thus making a ‘Proxy’ header into ‘HTTP_PROXY’, which is an actual environment variable for configuring an outbound proxy. This potentially means that for certain CGI apps, an attacker could configure a host to send all outbound HTTP requests through a proxy they specify. Cloudflare and Akamai customers are already automatically protected.
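
To make the header-to-variable collision concrete, here is an added example (mine, not code from the httpoxy advisory or any affected project) that applies the RFC 3875 mapping to a constructed request and shows the two mitigations that were widely recommended: dropping the client-supplied Proxy header at the server, and having the application ignore HTTP_PROXY whenever it is running inside a CGI request. The request headers and the proxy host are placeholders; the `.invalid` TLD is reserved and never resolves.

```python
def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18 specifies:
    upper-case the name, replace '-' with '_' and prepend 'HTTP_'.

    This is the collision at the heart of httpoxy: a client header named 'Proxy'
    becomes HTTP_PROXY, the same name many HTTP client libraries read as the
    outbound proxy setting.
    """
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def drop_proxy_header(headers):
    """Server-side mitigation: discard any client-supplied Proxy header before the
    CGI mapping runs. 'Proxy' is not a standard request header, so nothing
    legitimate is lost by dropping it."""
    return [(name, value) for name, value in headers if name.lower() != "proxy"]


def scrub_proxy_env(env):
    """Application-side mitigation: inside a CGI request (REQUEST_METHOD is set)
    HTTP_PROXY cannot be trusted as an operator setting, because the HTTP_ prefix
    is reserved for request headers, so remove it before any HTTP client library
    in the script reads it. Outside a request the variable is left alone."""
    if "REQUEST_METHOD" in env and "HTTP_PROXY" in env:
        env = dict(env)
        del env["HTTP_PROXY"]
    return env


# Constructed request: an ordinary request carrying an attacker-supplied Proxy header.
# The proxy host uses the reserved .invalid TLD; it is a placeholder, not a real host.
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "curl/7.0"),
    ("Proxy", "proxy.invalid:8080"),
]

if __name__ == "__main__":
    unsafe = cgi_meta_variables(SAMPLE_HEADERS)
    print("without mitigation, HTTP_PROXY =", unsafe.get("HTTP_PROXY"))
    safe = cgi_meta_variables(drop_proxy_header(SAMPLE_HEADERS))
    print("after dropping the header, HTTP_PROXY =", safe.get("HTTP_PROXY"))
    # In a real CGI script os.environ would be passed here instead of this dict.
    print("scrubbed env:", scrub_proxy_env({"REQUEST_METHOD": "GET", **unsafe}))
```

The two mitigations are complementary: the server-side one protects every application behind it, while the application-side one still helps when the script is deployed behind a server nobody has patched.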

BreakingMalware has recently discovered that the usage of ‘hooks’, a method to intercept and monitor system calls commonly used by things such as antivirus, is exploitable.

In more machine learning and cybersecurity news, a few companies point out it is likely to be more of a hybrid approach between automated algorithms and human review. The automated algorithms work to surface the most important items, weed out false positives, and flag everything else for review by the human element, whose review in turn feeds back into the system to improve results. The harder problem is creating systems that don’t just detect known problems, but flag new things that are not initially recognised as problems, similar to antivirus moving away from signatures to more robust forms of malware detection.

2016 has been a big year for Ransomware and Checkpoint has put together a good writeup of executable evolution. It is an interesting read, contrasting one set of ransomware families becoming more sophisticated while others go for simplicity and effectively use the social lever of fear to just get victims to pay up quickly.

Researchers from the University of Florida have put together a ransomware detection system. Rather than basing it on signatures, their system (dubbed CryptoDrop) monitors for behavioral changes, such as mass deletions or certain transformations which are indicative of ransomware. They claim to detect more than 500 variants from 14 families, with a small amount of file loss (median of 10 files).

As always BleepingComputer has the best ransomware roundup. This week includes ransomware faking other ransomware, new evolutions to existing ransomware, and CryptXXX releasing free decryption keys for old variants.

I’ll be at this year’s HOPE conference. Lots of great talks, and hope to meet some interesting people!

Security Roundup - 2016-07-14

Troy Hunt recently released unverified breaches for HaveIBeenPwned, due to the recent Badoo breach, where the dataset lies somewhere between a hoax and “can’t be conclusively verified”. The article is another interesting read in the steps he takes to verify breaches.

Datadog has recently suffered a potential breach, but is learning from the other breaches lately by invalidating all user passwords proactively.

Wendy’s was suspected of a breach in some of their PoS systems starting in 2015, and new reports indicate it is very, very bad, with more than 1000 locations impacted. Wendy’s currently blames a third party service provider that manages the PoS terminals for a number of franchises.

Phishing is still a leading way to gain access to a company. Now, DUO Security has launched a free phishing assessment tool called DUO Insight. They’ve also published an article sharing some interesting observations, including that 17% of targeted users actually entered credentials, out of date browsers/software detected on end user computers, and a few ways to make a phishing attempt more likely to succeed.

Some enterprising researchers recently created some TOR hidden service honeypots and, after making a bunch of requests through the TOR, found that their hidden services eventually came under attack. Their conclusion: there are TOR nodes designed to spy and find hidden services. They are scheduled to present at DefCon this year. While the TOR developers are working to strengthen the system, MIT researchers have announced the development of a potential successor, building on the lessons learned from TOR.

As voice activated assistants become more pervasive, security researchers have demonstrated voice based attacks, where they are able to play a muddled video sample that humans can’t interpret but the voice assistant can. The video demonstrates opening up a website, which could introduce additional code to the device.

Microsoft’s patch Tuesday includes this interesting Print Spooler exploit where an attacker could write a service to masquerade as a printer and cause a machine to download ‘printer drivers’ which could be any sort of executable that the system would trust.

Law enforcement and insurance companies seem to be catching up to the fact that weak electronic vehicle security is leading to an increase in thefts.

As always, BleepingComputer has the best ransomware roundup. New families from the makers of Cerber. CryptXXX changes, in that no special extension is being used, to evade detection. CryptoFinancial, a variant that actually deletes your files!

Security Roundup - 2016-07-07

More hardware security vulnerabilities this week, with a firmware problem on certain Gigabyte motherboards impacting such laptops as the Lenovo Thinkpad series and HP Pavilion laptops, allowing for the disabling of numerous security protections and running of arbitrary code. Also, Duo Labs reports that a large number of Android devices are vulnerable to previously patched CVEs (specifically, this Qualcomm exploit that undermines full disk encryption), as they have yet to receive an update and may never do so due to the way OEM/carrier patch rollouts work.

As the volume of threat intelligence increases, more groups turn to machine learning to try to sort the signals from noise. MIT’s Computer Science and Artificial Intelligence Lab has apparently developed a system called AI^2 which is able to monitor logs and detect 85% of attacks, allowing for a reduction of what needs to be reviewed by human beings.

My co-worker, Josh Rendek, recently put together a presentation on a side project of his called sshpot. He has followed up by writing up some of his thoughts, process, and findings from building an SSH honeypot.

TrapX labs has released a report entitled “Anatomy of an Attack – Medical Device Hijack 2”, giving an update on their observations of Hospital focused malware. Interestingly, they are seeing old exploits delivering new payloads, seemingly a result of medical devices being older Windows devices in many cases.

DARPA is apparently running a ‘Cyber Grand Slam’ in August, where bots will compete to automatically exploit vulnerabilities, as well as defend against them on the fly. I am looking forward to the reports and follow up of this event.

TrustWave has an interesting article on reverse engineering the Hawkeye Keylogger which is also using very old exploits to try to install itself.

Login security basics: long passwords, HTTPS, password hashing. Right? Troy Hunt has a long week of appsec issues, where various players forget the basics.

Interested in smart appliances, but worried about security? This week I learned of Matthew Garrett, a security researcher in SF who has started writing security oriented product reviews about IoT devices.

I knew Domain Hijacking was a thing, but this week I learned that bad actors also try to hijack IPv4 netblocks. Simply by checking for unmaintained WHOIS records, registering the lapsed domain and posing as the legitimate company, attackers are apparently able to successfully flip IPv4 addresses to buyers.

As always, BleepingComputer has the best Ransomware Roundup. This week includes new Locky variants, a ransomware named ‘EduCrypt’ that attempts to educate users on malware, numerous decryptors for the numerous variants, and Satana, a ransomware that not only encrypts your files, but encrypts a machine’s Master Boot Record to prevent users from starting up their operating system.

Security Roundup - 2016-06-30

Apple makes further security transparency strides by leaving their next iOS kernel unencrypted. Apple has previously obscured this, but the hope is that with a more open kernel, security researchers will have an easier time finding and reporting security issues. Some security researchers say, however, that this could lead to additional attacks against the OS. Kaspersky collects some further arguments on either side.

Uber’s bug bounty program has resulted in some interesting results from researchers. Sophos labs has a nice writeup of one team’s findings, using a number of smaller leakages to work up to a larger data leakage. Going back to their original post detailing their overall process is a great read as well, including a brute force promo code vulnerability, the ability to track where drivers have been, as well as trip history of other users.

TOR has added ‘Selfrando’ to strengthen the user browser. This technique involves randomizing the location of code in memory. This prevents ‘code re-use’ attacks, where an attacker can target known code loaded in memory to try to make it do unexpected things.

Rapid7 has done some follow up on the recent discovery of being able to issue administrative commands to ClamAV remotely by scanning the internet for exposed nodes and performing some analysis. In general, under 6k nodes across the entire internet are exposed. They believe a number of these are systems that the owner doesn’t realize ClamAV is installed on (or has forgotten).

Related, Symantec has announced that a number of products are subject to a system level vulnerability. This is related to a number of archive software vulnerabilities, which can cause malicious code to be executed just by Symantec AV scanning it. Since the scanner runs with elevated privileges, this allows an exploit to compromise the entire machine.

DDoSes are still a popular attack method, but Sucuri has been surprised by the rise in IoT device participation in said attacks, where a recent attack included 25K compromised CCTV cameras.

In another great article by Sucuri, malicious ads appear to be hosted on parked/expired domains. Findings include a CMS template that linked third party content that was no longer maintained, and so was bought up by someone monitoring for expired domains with live links. This underlines the importance of hosting your own assets rather than hotlinking, though the W3C has just recommended the usage of Subresource Integrity, which lets a page verify that the asset delivered is the one expected. Usage of SRI would protect over 50% of web browser traffic.
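
Subresource Integrity is simple enough to show end to end, so here is an added example (not code from Sucuri, the W3C or any project mentioned) that generates the `integrity` attribute for an asset at build time and then checks fetched bytes the way a browser does: whitespace-separated tokens, unknown algorithms ignored, only the strongest listed algorithm considered, any matching digest accepted. The asset bytes and the script URL are constructed for the example. One caveat the code makes explicit: when no token parses, the spec applies no integrity check at all, so a typo in the attribute silently turns SRI off, and a build step should validate the attributes it emits.

```python
import base64
import hashlib
import hmac

# Algorithms the SRI spec allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content, algorithm="sha384"):
    """Build the integrity token for an asset: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, content, algorithm="sha384"):
    """Emit a <script> element pinned to the exact bytes the page was built against.
    crossorigin is needed for the browser to check SRI on assets from another origin."""
    token = sri_hash(content, algorithm)
    return f'<script src="{src}" integrity="{token}" crossorigin="anonymous"></script>'


def verify_sri(content, integrity):
    """Check fetched bytes against an integrity attribute following the SRI rules.

    Returns True when no token parses, because that is what the browser does: an
    unparseable attribute means no check, which is why attributes must be validated
    at build time rather than trusted to fail closed.
    """
    tokens = []
    for token in integrity.split():
        algorithm, sep, digest = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            tokens.append((algorithm, digest.split("?", 1)[0]))  # '?options' suffix ignored
    if not tokens:
        return True
    strongest = max((algorithm for algorithm, _ in tokens), key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest).partition("-")[2].encode("ascii")
    return any(
        hmac.compare_digest(actual, expected.encode("utf-8"))
        for algorithm, expected in tokens
        if algorithm == strongest
    )


# Constructed asset: the bytes of a third-party script as they were when the page was built.
SAMPLE_ASSET = b"console.log('hello from the vendor script');\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example.test/vendor.js", SAMPLE_ASSET)
    print(tag)
    pinned = sri_hash(SAMPLE_ASSET)
    print("unchanged asset passes:", verify_sri(SAMPLE_ASSET, pinned))
    print("modified asset passes:", verify_sri(SAMPLE_ASSET + b"// injected\n", pinned))
    print("typo in attribute passes:", verify_sri(SAMPLE_ASSET, "sha384 missing-dash"))
```

Pinning only helps for assets whose content is fixed at build time; a hotlinked script that the third party legitimately updates will start failing the check, which is the point, and also why hosting your own copy and rebuilding the hash on upgrade is the more comfortable workflow.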

The Talos research group has an excellent article on how malware uses DNS to exfiltrate data and how one can use Passive DNS to detect these attacks.
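
The passive DNS angle in the Talos article lends itself to a small worked detector, so here is an added example (mine, not code from Talos) that aggregates constructed passive-DNS records per registered domain and flags domains whose subdomains look like a data channel: many distinct labels that are long and high-entropy, which is what encoded chunks of exfiltrated data look like next to ordinary hostnames. The records, the `.test` domains, the client addresses and the thresholds are all assumptions made up for this example; the two-label notion of a registered domain is a simplification that real deployments replace with the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed passive-DNS style records (client, queried name, query type). These are
# invented for the example and use reserved .test names, not real observations.
SAMPLE_RECORDS = [
    ("10.0.0.5", "www.example.test", "A"),
    ("10.0.0.5", "mail.example.test", "MX"),
    ("10.0.0.7", "cdn.example.test", "A"),
    ("10.0.0.7", "www.example.test", "A"),
    ("10.0.0.9", "4d7a6b3f2e1c0d9a8b7c6d5e.badcorp.test", "TXT"),
    ("10.0.0.9", "9f8e7d6c5b4a392817065e4d.badcorp.test", "TXT"),
    ("10.0.0.9", "0a1b2c3d4e5f60718293a4b5.badcorp.test", "TXT"),
    ("10.0.0.9", "c6d7e8f90a1b2c3d4e5f6071.badcorp.test", "TXT"),
    ("10.0.0.9", "8293a4b5c6d7e8f90a1b2c3d.badcorp.test", "TXT"),
    ("10.0.0.9", "4e5f60718293a4b5c6d7e8f9.badcorp.test", "TXT"),
]

# Thresholds are assumptions chosen for this sample; tune them against your own baseline.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_SUBDOMAIN_LENGTH = 16
MIN_MEAN_ENTROPY = 3.0


def shannon_entropy(text):
    """Bits of entropy per character: encoded or encrypted data scores high,
    dictionary-word hostnames such as 'www' or 'mail' score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (registered domain, subdomain part). Treating the last
    two labels as the registered domain is a simplification; production code should
    use the Public Suffix List so names like example.co.uk are handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(records):
    """Aggregate per registered domain and flag those whose subdomains look like a
    data channel: many distinct, long, high-entropy labels, typical of DNS tunnelling."""
    subdomains = defaultdict(set)
    query_types = defaultdict(set)
    for _client, qname, qtype in records:
        domain, sub = split_name(qname)
        if sub:
            subdomains[domain].add(sub)
        query_types[domain].add(qtype)
    report = {}
    for domain, subs in subdomains.items():
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        report[domain] = {
            "unique_subdomains": len(subs),
            "mean_length": round(mean_len, 2),
            "mean_entropy": round(mean_entropy, 2),
            "query_types": sorted(query_types[domain]),
            "suspicious": (
                len(subs) >= MIN_UNIQUE_SUBDOMAINS
                and mean_len >= MIN_MEAN_SUBDOMAIN_LENGTH
                and mean_entropy >= MIN_MEAN_ENTROPY
            ),
        }
    return report


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_RECORDS).items():
        print(domain, stats)
```

The query type is reported alongside the score because TXT-heavy traffic to an unfamiliar domain is a second, independent signal worth eyeballing; the heuristics above are deliberately coarse, and CDN and anti-spam services that legitimately use long hashed labels are the usual source of false positives.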

Malwarebytes put together an amazing infographic on the Bonnie and Clyde of Advanced Threats: malvertising and ransomware, two threats that multiply their overall potential together. Shockingly, they estimate that 70% of malvertising campaigns are delivering ransomware now.

As always, BleepingComputer has the best roundup of ransomware. This week includes the return of Necurs and Locky, as well as multiple new types of ransomware.
